Script & Icinga/Nagios plugin to check OpenLDAP syncrepl replication
Latest commit: 1ce4661add "Improve output" by Benjamin Renard, 2025-06-19 16:38:04 +02:00

Script to check LDAP syncrepl replication state between two servers

This script checks the LDAP syncrepl replication state between two servers. One server is considered the provider and the other the consumer.

The script can check the replication state in two ways:

  • in the first (default) mode, the entryCSN of every entry of the LDAP directory is compared between the two servers
  • in the second mode (-a / --attributes), every value of every attribute of every entry is compared between the two servers.

In both modes the contextCSN of the two servers is compared, and entries present on only one side (missing from the consumer or from the provider) are reported. The contextCSN check can be disabled with the --no-check-contextCSN argument.
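To make the two comparisons concrete, here is an offline model of both check modes and of the per-serverID contextCSN comparison used by the -i option. It is an added example, not code from check_syncrepl_extended: the function names, the OK/CRITICAL exit-code mapping and the sample entries (shaped like python-ldap search results, with constructed DNs and CSNs) are this example's own; only the CSN layout (OpenLDAP's timestamp#count#serverID#modifier form) comes from OpenLDAP itself.

```python
import re

# OpenLDAP CSN layout: <UTC timestamp>#<count>#<serverID>#<modifier>, for
# example 20250619143804.123456Z#000000#00C#000000 (serverID 12 printed as 00C).
CSN_RE = re.compile(
    r"^(\d{14}\.\d{6}Z)#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)
DEFAULT_EXCLUDED = ("contextCSN", "auditContext")  # same defaults as -x

def parse_csn(value):
    """Split one CSN (str or bytes, as python-ldap returns it) into its fields."""
    text = value.decode() if isinstance(value, bytes) else value
    match = CSN_RE.match(text)
    if not match:
        raise ValueError(f"not a CSN: {text!r}")
    stamp, count, sid, mod = match.groups()
    return {"stamp": stamp, "count": int(count, 16), "serverid": int(sid, 16),
            "mod": int(mod, 16), "raw": text}

def compare_contextcsn(provider_values, consumer_values, serverid=None):
    """Compare the multi-valued root contextCSN of both servers per serverID.
    serverid=12 restricts the check to the '#00C#' value, like -i 12.
    Returns a list of problems; an empty list means in sync."""
    prov = {p["serverid"]: p["raw"] for p in map(parse_csn, provider_values)}
    cons = {p["serverid"]: p["raw"] for p in map(parse_csn, consumer_values)}
    problems = []
    for sid in ([serverid] if serverid is not None else sorted(prov)):
        if sid not in prov:
            problems.append(f"provider has no contextCSN for serverID {sid}")
        elif sid not in cons:
            problems.append(f"consumer has no contextCSN for serverID {sid}")
        elif prov[sid] != cons[sid]:
            problems.append(f"serverID {sid}: provider {prov[sid]} != consumer {cons[sid]}")
    return problems

def _normalize(entry, excluded):
    """Lower-case attribute names (LDAP compares them case-insensitively) and
    sort values, since the server does not guarantee value order."""
    return {name.lower(): sorted(values) for name, values in entry.items()
            if name.lower() not in excluded}

def compare_entries(provider, consumer, attributes=False, exclude=DEFAULT_EXCLUDED):
    """provider and consumer map DN -> {attribute: [bytes, ...]}.  By default
    only entryCSN is compared; attributes=True compares every value of every
    attribute except the excluded ones."""
    excluded = {name.lower() for name in exclude}
    report = {"missing_in_consumer": [], "missing_in_provider": [], "out_of_sync": {}}
    for dn, p_entry in provider.items():
        c_entry = consumer.get(dn)
        if c_entry is None:
            report["missing_in_consumer"].append(dn)
            continue
        if attributes:
            p, c = _normalize(p_entry, excluded), _normalize(c_entry, excluded)
            diff = sorted(a for a in set(p) | set(c) if p.get(a) != c.get(a))
        else:
            diff = [] if p_entry.get("entryCSN") == c_entry.get("entryCSN") else ["entryCSN"]
        if diff:
            report["out_of_sync"][dn] = diff
    report["missing_in_provider"] = sorted(dn for dn in consumer if dn not in provider)
    return report

def nagios_status(ctx_problems, report):
    """Exit code and message for -n mode (this OK/CRITICAL mapping is the
    example's choice, not necessarily the plugin's)."""
    count = (len(ctx_problems) + len(report["missing_in_consumer"])
             + len(report["missing_in_provider"]) + len(report["out_of_sync"]))
    if count == 0:
        return 0, "OK: consumer in sync with provider"
    return 2, f"CRITICAL: {count} replication problem(s)"

# Constructed sample data (not captured from a real directory).
CSN_A = b"20250619143804.123456Z#000000#001#000000"
CSN_OLD = b"20250619110000.000000Z#000000#001#000000"
PROVIDER_CTX = [CSN_A, b"20250619120000.000000Z#000000#00C#000000"]
CONSUMER_CTX = [CSN_A, b"20250619110000.000000Z#000000#00C#000000"]
PROVIDER = {
    "uid=alice,ou=people,o=example": {"entryCSN": [CSN_A], "mail": [b"alice@example"]},
    "uid=bob,ou=people,o=example": {"entryCSN": [CSN_A], "mail": [b"bob@example", b"robert@example"]},
    "uid=carol,ou=people,o=example": {"entryCSN": [CSN_A], "mail": [b"carol@example"]},
}
CONSUMER = {
    "uid=alice,ou=people,o=example": {"entryCSN": [CSN_A], "MAIL": [b"alice@example"]},
    "uid=bob,ou=people,o=example": {"entryCSN": [CSN_OLD], "mail": [b"bob@example"]},
    "uid=dave,ou=people,o=example": {"entryCSN": [CSN_A], "mail": [b"dave@example"]},
}

if __name__ == "__main__":
    ctx = compare_contextcsn(PROVIDER_CTX, CONSUMER_CTX)
    rep = compare_entries(PROVIDER, CONSUMER, attributes=True)
    code, message = nagios_status(ctx, rep)
    print(message, ctx, rep)
    raise SystemExit(code)
```

With the sample data, the default mode flags bob (older entryCSN on the consumer), carol (missing from the consumer) and dave (missing from the provider); attribute mode additionally names the differing attributes for bob, and the mixed-case MAIL on alice is not reported because attribute names are normalised before comparison. Against a real directory, the same functions would be fed the result of a python-ldap search on each server with the base DN and filter from -b and -f.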

This script can also "touch" an LDAP object on the provider to force that object to be resynchronised. The mechanism consists of adding the value '%TOUCH%' to an attribute of the object and removing it again immediately afterwards. The touched attribute is given with the --touch parameter. The DN and password provided must, of course, have write access to this attribute. If a run is interrupted between the two modifications the marker value stays on the object; --remove-touch-value removes a leftover '%TOUCH%' value if one is present.

If you prefer, use the --replace-touch parameter to replace the value of the touched attribute instead of adding the touch value. This is useful for single-valued attributes.
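The modlists behind the touch, the replace variant for single-valued attributes and the clean-up of a leftover marker, as an added example written against python-ldap's modify_s() modlist convention (this is not the project's own code): the function names are this example's own, and the MOD_* fallback constants only exist so the builders can be exercised without python-ldap installed.

```python
try:
    from ldap import MOD_ADD, MOD_DELETE, MOD_REPLACE
except ImportError:  # python-ldap absent: same numeric values as LDAP_MOD_* in ldap.h
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

TOUCH_VALUE = b"%TOUCH%"

def touch_modlists(attr, current_values, replace=False):
    """Return the (touch, untouch) modlists for conn.modify_s(dn, modlist).

    Default: add the marker, then delete it again; this needs an attribute
    that accepts a second value.  replace=True overwrites the attribute with
    the marker and then restores the original values, which is what a
    single-valued attribute needs (the --replace-touch case)."""
    current_values = list(current_values)
    if replace:
        if not current_values:
            raise ValueError(f"{attr} is empty: nothing to restore after the replace")
        return ([(MOD_REPLACE, attr, [TOUCH_VALUE])],
                [(MOD_REPLACE, attr, current_values)])
    if TOUCH_VALUE in current_values:
        raise ValueError(f"{attr} already carries {TOUCH_VALUE!r}: clean it up first")
    return ([(MOD_ADD, attr, [TOUCH_VALUE])],
            [(MOD_DELETE, attr, [TOUCH_VALUE])])

def remove_touch_modlist(attr, current_values):
    """Modlist that drops a marker left behind by an interrupted run (the
    --remove-touch-value case); empty when there is nothing to remove."""
    if TOUCH_VALUE not in list(current_values):
        return []
    return [(MOD_DELETE, attr, [TOUCH_VALUE])]

def touch_entry(conn, dn, attr, replace=False):
    """Touch one entry over an open, bound python-ldap connection.  The bind
    DN needs write access to attr on dn.  If the process dies between the two
    modify_s() calls the marker stays on the entry, which is what
    remove_touch_modlist() is for on the next run."""
    import ldap  # only needed when talking to a real server
    _, entry = conn.search_s(dn, ldap.SCOPE_BASE, "(objectClass=*)", [attr])[0]
    touch, untouch = touch_modlists(attr, entry.get(attr, []), replace=replace)
    conn.modify_s(dn, touch)
    conn.modify_s(dn, untouch)
```

The restore step of the replace variant writes back the values read just before the touch, so anything written to that attribute by another client in between is lost; pick an attribute nothing else updates, and note that the delete step of the default variant fails on a single-valued attribute, which is exactly why --replace-touch exists.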

To use this script as an Icinga (or Nagios) plugin, pass the -n / --nagios argument.

Requirement

A single DN/password pair that can bind to both servers and is not restricted (by ACLs or size limits) in retrieving the checked objects from either server.

Dependencies

  • Python 3 (for Python 2.7 compatibility, see the python2.7 branch)
  • python-ldap

Installation

If you plan to use it with NRPE

apt install -y python3-ldap git
git clone https://gitea.zionetrix.net/bn8/check_syncrepl_extended.git /usr/local/src/check_syncrepl_extended
mkdir -p /usr/local/lib/nagios/plugins
ln -s /usr/local/src/check_syncrepl_extended/check_syncrepl_extended /usr/local/lib/nagios/plugins/
cat << EOF > /etc/nagios/nrpe.d/ldap-syncrepl.cfg
command[check_syncrepl_extended]=/usr/local/lib/nagios/plugins/check_syncrepl_extended --nagios --attributes --provider ldaps://ldapmaster.foo --consumer ldaps://ldapslave.foo --basedn o=example -D uid=nagios,ou=sysaccounts,o=example -P secret
EOF
service nagios-nrpe-server reload

Note that the bind password is stored in clear text in /etc/nagios/nrpe.d/ldap-syncrepl.cfg and is visible in the process list while the check runs, so keep that file readable only by root and the NRPE user, and give the monitoring account no more rights than the check needs (read access, plus write access on the touched attribute only if you use --touch).

Otherwise

apt install python3-ldap git
git clone https://gitea.zionetrix.net/bn8/check_syncrepl_extended.git /usr/local/src/check_syncrepl_extended
ln -s /usr/local/src/check_syncrepl_extended/check_syncrepl_extended /usr/local/bin/

Usage

usage: check_syncrepl_extended [-h] [-p PROVIDER] [-c CONSUMER] [-T]
                               [--no-check-certificate] [-D DN] [-P PWD]
                               [-b BASEDN] [-f FILTERSTR] [--page-size PAGE_SIZE]
                               [-n] [-d] [-q] [--no-check-contextCSN]
                               [--only-check-contextCSN] [-i SERVERID] [-a]
                               [-x EXCLUDE_ATTRIBUTES] [--touch TOUCH]
                               [--replace-touch] [--remove-touch-value]

Script to check LDAP syncrepl replication state between two servers.

options:
  -h, --help            show this help message and exit

LDAP connection:
  -p PROVIDER, --provider PROVIDER
                        LDAP provider URI (example: 'ldaps://ldapmaster.foo:636')
  -c CONSUMER, --consumer CONSUMER
                        LDAP consumer URI (example: 'ldaps://ldapslave.foo:636')
  -T, --starttls        Start TLS on LDAP provider/consumers connections
  --no-check-certificate
                        Don't check the LDAP servers certificate
  -D DN, --dn DN        LDAP bind DN (optional, example:
                        'uid=mon,ou=sysaccounts,o=example')
  -P PWD, --pwd PWD     LDAP bind password
  -b BASEDN, --basedn BASEDN
                        LDAP base DN (required, example: 'o=example')
  -f FILTERSTR, --filter FILTERSTR
                        LDAP filter (default: '(objectclass=*)')
  --page-size PAGE_SIZE
                        Page size: if defined, use a paged search (LDAP v3
                        simple paged results control; optional, default: do
                        not use paged search).

Output:
  -n, --nagios          Nagios/Icinga check plugin mode
  -d, --debug           Debug mode
  -q, --quiet           Quiet mode

Check control:
  --no-check-contextCSN
                        Don't check servers contextCSN
  --only-check-contextCSN
                        Only check servers root contextCSN (objects check disabled)
  -i SERVERID, --serverID SERVERID
                        Compare the contextCSN of a specific master. Useful in
                        multi-master setups where each master has a unique ID
                        and a contextCSN exists for each replicated master. A
                        valid serverID is an integer from 0 to 4095 (3 hex
                        digits; example: '12' compares the contextCSN matching
                        '#00C#')
  -a, --attributes      Check attributes values (Default: only check entryCSN)
  -x EXCLUDE_ATTRIBUTES, --exclude-attributes EXCLUDE_ATTRIBUTES
                        Exclude some attributes (only in attribute check mode,
                        default: contextCSN & auditContext)

"Touch" attribute feature:
  --touch TOUCH         Touch the attribute given as parameter to force a resync
                        of the LDAP object from the provider. A value "%TOUCH%"
                        will be added to this attribute and removed afterwards.
                        The user used to connect to the LDAP directory must have
                        write permission on this attribute on each object.
  --replace-touch       Replace the value instead of adding.
  --remove-touch-value  Remove the touch value if present.

Copyright (c) 2017 Benjamin Renard

License

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.